Coinmama, a site that is supposed to “make it fast, safe and fun” to buy Bitcoins and Ethereum with a credit card, has suffered a data breach that has exposed the personal details of almost half a million customers.

Coinmama says that it believes the breached data involves approximately 450,000 email addresses and hashed passwords of users who registered for accounts up until August 5th, 2017.

In an advisory published on its website, Coinmama linked the data leak to a wider wave of breaches that has affected at least 30 different websites (including MyFitnessPal, Houzz, and Coffee Meets Bagel) and impacted hundreds of millions of users.

The data is being sold on underground criminal websites in batches for tens of thousands of dollars.

In the latest data bundle offered by the hacker calling themselves Gnosticplayers, Coinmama’s 450,000 records are being offered alongside:

57 million records stolen from interior design site Houzz

40 million records stolen from video streaming site YouNow

18 million records stolen from travel booking site Ixigo

5 million records stolen from multiplayer online game Stronghold Kingdoms

4 million records stolen from tabletop role-playing gaming site Roll20

1.8 million records stolen from file sharing site Ge.tt

1 million records stolen from pet care delivery service PetFlow

The Coinmama-related data is currently being offered by the hacker for 0.351 Bitcoin (US $1358), with the promise of as many as 70,000 cracked passwords.

Clearly, Coinmama users would be wise to change their password at the earliest opportunity – particularly if they created their account before August 2017. Furthermore, it makes sense – as with all data breaches which may lead to passwords being exposed – to ensure that the same password is not being reused anywhere else on the internet.

Interestingly, security researchers have noticed that many of the databases breached by Gnosticplayers appear to have been running the same software: PostgreSQL.

There is considerable speculation that the hacker may have exploited a vulnerability in the open source PostgreSQL software to trick websites into spilling their precious data.

According to TechCrunch, the coders who work on PostgreSQL are not aware of any current security holes – patched or unpatched – that might have been exploited by the hacker to steal the data.

“There are many factors that need to be taken into consideration when securing a database system that go beyond the database software. We have often found that data breaches into a PostgreSQL database involve an indirect attack vector, such as a flaw in an application accessing PostgreSQL or a suboptimal policy around data management,” said Jonathan Katz. “When it comes to vulnerabilities, the PostgreSQL community has a dedicated security team that evaluates and fixes issues and, in the spirit of open source collaboration, transparently reports on and educates our users about them.”

Whatever method the hacker is using to gain access to so much sensitive data on so many websites, it would seem sensible to me for businesses who are running PostgreSQL to take a close look at their infrastructure.

After all, it’s better to find the security holes in your website yourself rather than wait for a malicious hacker to break in.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.